Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder and folder monitoring

gdavid
Path Finder
‎06-29-2012 09:04 AM

I installed a universal forwarder on my workstation to test monitoring some server directories for changes.
during the install i selected monitored c:\mytestfolder
i see events coming into my index but i can't find which inputs.conf file on my workstation it's specified in.

also for some reason the events come in like this.
WARN FileClassifierManager - The file 'C:\MyTestFolder\Tulips.jpg' is invalid. Reason: binary
INFO TailingProcessor - Ignoring file 'C:\MyTestFolder\Tulips.jpg' due to: binary

Tags (1)
0 Karma
Reply

gdavid
Path Finder
‎06-29-2012 01:05 PM

finally found it. it seems that settings that come in during the install are located in
C:/Program Files/SplunkUniversalForwarder/etc/apps/MSICreated/local

0 Karma
Reply

gdavid
Path Finder
‎06-29-2012 12:55 PM

no local folder under [etc/apps/search/]
the default folder has an empty inputs.conf

i may be using the wrong monitor. i want to see file/directory changes, not parse the files.
but until i can find where monitor is specified i cant change it.

0 Karma
Reply

Kate_Lawrence-G
Contributor
‎06-29-2012 12:52 PM

I believe in the windows version the inputs.conf is located under the etc/apps/search/local directory.
You also should probably exclude the JPG files in that inputs.conf file as it is binary and will throw that type of message in the splunkd.log (/var/log/splunk/splunkd.log)

Thanks,

Kate

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...